Cross-site scripting (XSS) is an attack on web applications that allows an attacker to inject malicious scripts into pages served to other users. The malicious script is executed on the browser side, which makes this attack very powerful and critical.

You can find more information about the attack in some good articles here:

In this article, we will discuss how we can use an image to perform XSS attacks, from simple to advanced exploitation.

Let’s go deeper

Let’s pretend we want to inject a JS script directly. How can we do it?

You first have to know whether the webmaster/administrator of the platform permits execution of JS scripts loaded from the same domain. If so, we can exploit that!

The target just has to have a WYSIWYG editor that permits writing HTML code and uploading images. This is sufficient for a hacker to create a script and inject it into an image, or to create an image that already carries an injected payload.

What’s a payload? Simply put, it is a script that executes malicious actions.

Before going deeper into the exploitation, I advise you to read the articles related to these vulnerabilities that I shared with you at the beginning of the article.

Now imagine that we can exploit XSS with an image. Can we insert it as a comment on an article? A blog? With a BeEF hook or another exploitation framework?

The results would be chaotic.

Now, How Can We Do It?

For the exploitation, you will need this script to inject JavaScript into a GIF:

Figure 4: The part of the exploit that handles the injection of the payload

Finally, The Exploitation

Once you have downloaded the script, type the following command, which adapts the script so it runs in a Linux environment (the environment used here is Kali Linux):

Figure 5: Adaptation of the script into Unix environment

Then, let’s inject our test script into the image with the following command (we will test with a GIF image, so we use the GIF injector script, the first one). This is just a simple payload that shows a JavaScript alert with the message “Learn XSS with gif,” but in a real scenario an attacker would try to steal your cookie, inject a hook (like the BeEF one), or redirect you to a malicious site, such as:

Figure 6: Injection of the XSS payload into the gif image

The result image will change from [image_name].gif to [image_name]_malw.gif.

Now that we have injected our script into our image, we can use it from an HTML page with the following script, which is generated automatically:

Figure 6: HTML Script to execute the image


Both the image source and the script source point to the same output image.

Now let’s copy all the content of the directory into the /var/www directory, then start the apache2 service:

Figure 7: Starting the Apache2 service

Then open the HTML page in your browser and SURPRISE:

Figure 8: Execution of the injected XSS payload

We can also exploit with a redirection like this:

Figure 9: Injection of redirection payload

We can also do it in C or ASM, not just in Python; you can find more information there:

How to prevent it

Preventing this type of exploitation is very difficult, but you can mitigate it with the following measures:

Always filter user input

Use a whitelist for the elements loaded, even if they come from the same domain

Use high-level frameworks: MVC, PEAR, Struts…

Use a token-based system

Moreover, always remember never to let users write raw HTML anywhere on your platform; this is the most important point.
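As an added example (my code, not the article's injector script or any tool it uses), here is a server-side check for the GIF case discussed above: it walks the GIF block structure strictly and keeps only the bytes that belong to it, so a script hidden in bytes the image decoder never reads is dropped before the upload is stored or served. The sample GIF bytes are constructed for this example.

```python
GIF_TRAILER, GIF_IMAGE_DESCRIPTOR, GIF_EXTENSION = 0x3B, 0x2C, 0x21

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Walk length-prefixed data sub-blocks until the zero-length terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def gif_length(data: bytes) -> int:
    """Return the offset just past the 0x3B trailer of the well-formed GIF at
    the start of data; raise ValueError if the block structure is invalid."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    pos = 13                                 # header + logical screen descriptor
    if data[10] & 0x80:                      # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))  # 2^(n+1) entries of 3 bytes each
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block, pos = data[pos], pos + 1
        if block == GIF_TRAILER:
            return pos
        if block == GIF_EXTENSION:           # comment, graphic control, application
            pos = _skip_sub_blocks(data, pos + 1)      # +1 skips the label byte
        elif block == GIF_IMAGE_DESCRIPTOR:
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:                # local colour table present
                pos += 3 * (2 << (packed & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)      # +1 skips LZW min code size
        else:
            raise ValueError("unexpected block 0x%02x" % block)

def sanitize_gif(data: bytes) -> tuple:
    """Return (bytes that belong to the GIF structure, count of trailing bytes dropped)."""
    end = gif_length(data)
    return data[:end], len(data) - end

# Constructed sample input: a 1x1 two-colour GIF, then the same file with a
# JavaScript tail appended where an image decoder never looks.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
POLYGLOT = CLEAN_GIF + b"*/=1;alert(1)"
```

Serve the result with its real Content-Type (image/gif) and an X-Content-Type-Options: nosniff header, so the browser refuses to execute the file as a script even if one slips through. Decoding and re-encoding every uploaded image is the more general form of this defence and also covers formats other than GIF.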

Conclusion

The XSS vulnerability is one of the most powerful vulnerabilities on the web, so never underestimate it, and never forget that it can be exploited not just through a vulnerable URL but also by injecting it into content such as images, as we just saw.

In the next articles, we will discover how we can exploit XSS in applications, along with some advanced exploitations.

Kondah Hamza is an expert in IT security and a Microsoft MVP in enterprise security. He is also involved with various organizations to help them strengthen their security. Today, he offers his services mainly as a Consultant, Auditor/Pentester and Independent Trainer with Alphorm.com.

One response to “How to Exploit XSS with an Image”

Hi, I am not an expert in security issues, but I got an idea reading about the exploitation with an image: if we create a new image after uploading and copy the uploaded image pixel by pixel to the new image with commands of the GD Library and use the new image afterwards, then if the uploaded file wouldn't be an image, we would get an error at copying. Would it be a protection against XSS?
